Pentester
For ethical hackers and red teamers
Question 1 (Beginner)
What is the OWASP Top 10?
The OWASP Top 10 is a standard awareness document published by the Open Web Application Security Project (OWASP) listing the ten most critical security risks to web applications. It is updated periodically based on data from real-world vulnerabilities and is widely used as a baseline for web application security testing and development.
The 2021 OWASP Top 10:
1. A01 — Broken Access Control: Users can act outside their intended permissions. Includes IDOR, privilege escalation, and missing function-level access control.
2. A02 — Cryptographic Failures: Weak or missing encryption exposing sensitive data. Previously called "Sensitive Data Exposure."
3. A03 — Injection: SQL, NoSQL, OS command, LDAP injection. Attacker-supplied data interpreted as commands.
4. A04 — Insecure Design: Architectural flaws that cannot be fixed by correct implementation alone.
5. A05 — Security Misconfiguration: Default credentials, open cloud storage, verbose error messages, unnecessary features enabled.
6. A06 — Vulnerable and Outdated Components: Using libraries, frameworks, or operating systems with known, unpatched vulnerabilities.
7. A07 — Identification and Authentication Failures: Weak passwords, missing MFA, broken session management.
8. A08 — Software and Data Integrity Failures: Insecure CI/CD pipelines, unsigned updates, unverified deserialisation.
9. A09 — Security Logging and Monitoring Failures: Insufficient logging, missing alerting, undetected breaches.
10. A10 — Server-Side Request Forgery (SSRF): The server is induced to make requests to attacker-chosen destinations, often internal services that are not reachable directly.
As a pentester, the OWASP Top 10 is your core testing checklist for web application engagements.